Educause Security Discussion mailing list archives

Re: Outsourcing Student Email - Security Concerns?


From: Jesse Thompson <jesse.thompson () DOIT WISC EDU>
Date: Thu, 26 May 2011 21:20:13 -0500

Given recent events, I'm curious if anyone knows if these cloud providers are storing the plain text passwords, or just the password hashes. And if they are hashed, are they also salted with something unique for your domain? We know that China has been poking around Google's servers...

Personally, I feel that any decision to work around deficiencies in the reliability of your architecture, at the possible expense of improving it, will only lead to further de-prioritization of improving reliability, which in turn causes you to want to depend on it even less. Sure, you can get away with this for email, but what about everything else? Is the importance of email greater than the aggregate sum of everything else that depends on SSO? Are you going to decentralize sign on for every other campus service? At what point do you decide that you're giving your passwords over to too many uncontrollable services?

Jesse Thompson
UW-Madison

On 5/26/11 5:29 PM, Walter Moore wrote:
Yes, and in fact we run a dark site, and we have LDAP servers there
(among various other assets). We could have put the production SAML
server there, but it helped tilt us to syncing instead.


On Thu, May 26, 2011 at 4:47 PM, Dr. Wole Akpose <wole.akpose () morgan edu> wrote:

    Per:  Another key consideration in favor of password sync over SSO for us
    was Business Continuity. We're on the coast of Florida, on low land, so
    we must plan for complete campus shutdowns even when hurricanes miss us.

    Have you considered offsite Replication of your Identity Server as part of
    your BC considerations?

    W. Akpose

    On 5/26/11 4:29 PM, "Mike Porter" <mike () UDEL EDU> wrote:

     >On Thu, 26 May 2011, Francis, Greg wrote:
     >
     >>
     >> As a campus using SSO, I agree that BC is a major consideration. We
     >> chose the SSO option to keep passwords local. However, when we had an
     >> internal event that knocked out our VMWare environment, students lost
     >> the ability to login to Google. The solution is only as good as its
     >> weakest link and our internal infrastructure is probably that weakest
     >> link with regards to Google Apps. We have not changed our approach as a
     >> result of that event but it did reconfirm a weakness that we had
     >> already seen in an SSO configuration.
     >>
     >> Greg
     >
     >Same thing here.  I will add that one of the big wins for us with
     >SSO is we can log when and where the logins are coming from.  When
     >investigating hacking issues, this is very useful.
     >
     >Mike
     >
     >Mike Porter
     >Systems Programmer V
     >IT/NSS
     >University of Delaware
     >
     >>
     >>
     >>
     >> On 5/26/11 12:56 PM, "Walter Moore" <moorewr () ECKERD EDU> wrote:
     >>
     >>> Another key consideration in favor of password sync over SSO for us
     >>> was Business Continuity. We're on the coast of Florida, on low land,
     >>> so we must plan for complete campus shutdowns even when hurricanes
     >>> miss us.
     >>>
     >>> On Thu, May 26, 2011 at 3:42 PM, Barron Hulver
     >>> <Barron.Hulver () oberlin edu> wrote:
     >>>> We moved everyone to Google Apps for Edu about 3 years ago.  I was
     >>>> involved with negotiating our agreement with Google (before it became
     >>>> more general) and we had our external counsel involved as well.  We
     >>>> didn't really make that many changes to the agreement.
     >>>>
     >>>> On the technical side, we also went with a password sync process
     >>>> instead of an SSO.  After discussions with my two people that handle
     >>>> our directories, we decided to implement a reduced single sign-on
     >>>> environment by either having applications authenticate directly to
     >>>> one of our two LDAP servers or use password synchronization.  I
     >>>> preferred the password sync with Google for two reasons:  1) It is
     >>>> convenient for people using POP or IMAP and it enforces our password
     >>>> policies and 2) in the event of a communication problem to our
     >>>> central servers (e.g. Internet link is down or LDAP is down - almost
     >>>> never happens), the Google services could still be used from home.
     >>>> We see this as an advantage in a disaster recovery/business
     >>>> continuity situation.
     >>>>
     >>>>
     >>>> Barron Hulver
     >>>> Director of Networking, Operations, and Systems
     >>>> Center for Information Technology
     >>>> Oberlin College
     >>>> 148 West College Street
     >>>> Oberlin, OH  44074
     >>>> 440-775-8798
     >>>> Barron.J.Hulver () oberlin edu
     >>>> http://www2.oberlin.edu/staff/bhulver/
     >>>>
     >>>>
     >>>>
     >>>>
     >>>> -------- Original Message --------
     >>>> Subject:        Re: Outsourcing Student Email - Security Concerns?
     >>>> Date:   Thu, 26 May 2011 11:57:48 -0400
     >>>> From:   Walter Moore <moorewr () ECKERD EDU>
     >>>> Reply-To:       The EDUCAUSE Security Constituent Group Listserv
     >>>> <SECURITY () LISTSERV EDUCAUSE EDU>
     >>>>
     >>>> To: SECURITY () LISTSERV EDUCAUSE EDU
     >>>>
     >>>>
     >>>>
     >>>> There have been some fairly public debates about this, notably at
     >>>> Yale.
     >>>>
     >>>> http://www.yaledailynews.com/news/2010/mar/30/its-delays-switch-to-gmail/
     >>>>
     >>>> Our discussion centered on the Google Apps SLA, but in the end our
     >>>> General Counsel felt it was acceptable. We ended up using a password
     >>>> sync process instead of SSO, but you could opt to run a SAML server.
     >>>> In that scenario your AD password would not be stored or synced to
     >>>> Google Apps.
     >>>>
     >>>> Be aware that users will, in that scenario, need to set a separate
     >>>> password for external IMAP/SMTP clients (phones etc).
     >>>>
     >>>> On Thu, May 26, 2011 at 11:04 AM, Allen Wood <awood () hillcollege edu>
     >>>> wrote:
     >>>>
     >>>>     Hello all,
     >>>>
     >>>>     I work for a small community college and we're currently running
     >>>>     Exchange 2010 for student email.  Our VP likes the idea of using
     >>>>     Google Apps for Education (or Microsoft's Live@edu) and freeing up
     >>>>     that mail server for something else.  I am leery of making the
     >>>>     move and basically putting the student's Active Directory accounts
     >>>>     in someone else's hands. I would think there are also possible
     >>>>     compliance issues, but I haven't really studied that side of it
     >>>>     yet.
     >>>>
     >>>>     Have any of you ever made either side of this argument before?  If
     >>>>     so, would you mind sharing any info that you may have available
     >>>>     that may help us decide outsourced vs. locally hosted, and maybe
     >>>>     even Google vs. Microsoft?
     >>>>
     >>>>     Thanks in advance for any info-
     >>>>
     >>>>     Allen Wood
     >>>>
     >>>>
     >>>>
     >>
     >> Greg Francis
     >> Director, Central Computing and Network Support Services
     >> 502 E. Boone Ave.
     >> Spokane, WA 99258-0092
     >> 509.313.6896 direct
     >> http://www.gonzaga.edu/its
     >>
     >>
     >
     >-
     >Mike Porter
     >PGP Fingerprint: F4 AE E1 9F 67 F7 DA EA  2F D2 37 F3 99 ED D1 C2




--
+-----------------------------------------------------------------+
Walter R. Moore --  Sr. Systems Administrator, Eckerd College
moorewr () eckerd edu --
http://home.eckerd.edu/~moorewr

"It was glorious to see -- if your heart were iron,
And you could keep from grieving at all the pain" - The Iliad (13.355)

I'm on twitter: http://twitter.com/moorewreckerd

***Reminder! ITS will never ask you to e-mail your password!***

